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Abstract 


This document reclassifies the RFCs related to the United States 
National Security Agency (NSA) Suite B cryptographic algorithms as 
Historic, and it discusses the reasons for doing so. This document 
moves seven Informational RFCs to Historic status: RFCs 5759, 6239, 
6318, 6379, 6380, 6403, and 6460. In addition, it moves three 
obsolete Informational RFCs to Historic status: RFCs 4869, 5008, and 
5430. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Not all documents 


approved by the IESG are candidates for any level of Internet 
Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, 


and how to provide feedback on it may be obtained at 
https://www.rfc-editor.org/info/rfc8423. 
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Copyright Notice 


Copyright (c) 2018 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(https://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 
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1. Introduction 


Several RFCs profile security protocols for use with the National 

Security Agency (NSA) Suite B Cryptography. Suite B is no longer 

supported by NSA, and the web pages that specify the cryptographic 
algorithms are no longer available. 


In July 2015, NSA published the Committee for National Security 

Systems Advisory Memorandum 02-15 as the first step in replacing 
Suite B with NSA’s Commercial National Security Algorithm (CNSA) 
Suite. Information about the CNSA Suite can be found in [CNSA]. 
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2's 


Rationale 
As indicated in [CNSA], NSA is transitioning from Suite B to the CNSA 
Suite. As a result, the profiles of the security protocols for the 
Suite B algorithms are now only of historic interest. 

The RFCs Related to Suite B 

Between 2007 and 2012, several Suite-B-related RFCs were published to 
profile security protocols for use with the Suite B algorithms. They 


are: 


o [RFC4869], "Suite B Cryptographic Suites for IPsec" (Obsoleted by 
RFC 6379) 


o [RFC5008], "Suite B in Secure/Multipurpose Internet Mail 
Extensions (S/MIME)" (Obsoleted by RFC 6318) 


o [RFC5430], "Suite B Profile for Transport Layer Security (TLS)" 
(Obsoleted by RFC 6460) 


o [RFC5759], "Suite B Certificate and Certificate Revocation List 
(CRL) Profile" 


o [RFC6239], "Suite B Cryptographic Suites for Secure Shell (SSH)" 


o [RFC6318], "Suite B in Secure/Multipurpose Internet Mail 
Extensions (S/MIME) " 


o [RFC6379], "Suite B Cryptographic Suites for IPsec" 


o [RFC6380], "Suite B Profile for Internet Protocol Security 
(IPsec) " 


o [RFC6403], "Suite B Profile of Certificate Management over CMS" 
o [RFC6460], "Suite B Profile for Transport Layer Security (TLS)" 


Documents That Reference the Suite-B-Related RFCs 


These RFCs reference each other several times. These cross- 
references are not examined further in this document. 


Other RFCs make reference to these Suite-B-related RFCs; these 
references are discussed in the following subsections. 
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4.1. Documents That Reference RFC 4869 
One other RFC makes reference to RFC 4869 [RFC4869]. 
RFC 6071, "IP Security (IPsec) and Internet Key Exchange (IKE) 
Document Roadmap" [RFC6071], points out that RFC 4869 adds four pre- 
defined suites based upon Suite B specifications. They are: 
o IKE/ESP suite "Suite-B-GCM-128" 
o IKE/ESP suite "Suite-B-GCM-256" 
o IKE/AH suite "Suite-B-GMAC-128" 
o IKE/AH suite "Suite-B-GMAC-256" 
In each case, these suite definitions make use of algorithms that are 
defined in other RFCs. No interoperability or security concerns are 
raised if implementations continue to make use of these suite names. 
4.2. Documents That Reference RFC 5759 
One other RFC makes reference to RFC 5759 [RFC5759]. 
RFC 6187, "X.509v3 Certificates for Secure Shell Authentication" 
[RFC6187], points out that RFC 5759 provides additional guidance for 
Elliptic Curve Digital Signature Algorithm (ECDSA) keys when used 
with Suite B. 
4.3. Documents That Reference RFC 6379 
One other RFC makes reference to RFC 6379 [RFC6379]. 
RFC 7321, "Cryptographic Algorithm Implementation Requirements and 
Usage Guidance for Encapsulating Security Payload (ESP) and 
Authentication Header (AH)" [RFC7321], points out that the AES-GCM 
algorithm is used by Suite B, and it has emerged as the preferred 


authenticated encryption method in IPsec. RFC 7321 has since been 
obsoleted by RFC 8221. 


4.4. Documents That Reference RFC 6403 
Two other RFCs make reference to RFC 6403 [RFC6403]. 
RFC 6402, "Certificate Management over CMS (CMC) Updates" [RFC6402], 


says that development of the profile for Suite B was the activity 
that demonstrated the need for these updates. 
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RFC 7030, "Enrollment over Secure Transport" [RFC7030], points out 
that the scenarios in Appendix of RFC 6403 are very similar to three 
of the scenarios described. 


4.5. Documents That Reference RFC 6460 
Three other RFCs make reference to RFC 6460 [RFC6460]. 
RFC 6605, "Elliptic Curve Digital Signature Algorithm (DSA) for 
DNSSEC" [RFC6605], states that material was copied liberally from RFC 
6460. The Standards Track status of RFC 6605 is not affected by RFC 


6460 moving to Historic status. 


RFC 7525, “Recommendations for Secure Use of Transport Layer Security 


(TLS) and Datagram Transport Layer Security (DTLS)" [RFC7525], 
observes that the Suite B profile of TLS 1.2 uses different 
ciphersuites. 


RFC 8253, "PCEPS: Usage of TLS to Provide a Secure Transport for the 
Path Computation Element Communication Protocol (PCEP)" [RFC8253], 
points to RFC 6460 for the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
and TLS_ECDHE_ECDSA_WITH_AES_256 _GCM_SHA384 ciphersuites. Both of 
these ciphersuites are defined in [RFC5289], which would have been a 
better reference. The Standards Track status of RFC 8253 is not 
affected by RFC 6460 moving to Historic status. 


5. Impact of Reclassifying the Suite-B-Related RFCs to Historic 
No interoperability or security concerns are raised by reclassifying 
the Suite-B-related RFCs to Historic status. As described in 
Section 4, none of the RFCs being moved to Historic status is the 
sole specification of a cryptographic algorithm or an identifier for 
a cryptographic algorithm. 

6. IANA Considerations 
This document has no IANA actions. 


7. Security Considerations 


No interoperability or security concerns are raised by reclassifying 
the Suite-B-related RFCs to Historic status. 


NSA is transitioning away from some of the cryptographic algorithms 
and key sizes that were employed in the Suite B profiles. 
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